Long time no see, homies and homettes (probably none). Anyway, today I will do my best to explain to you one of the most widely known and used protocols for internet routing, known as OSPF. This post is not beginner friendly, and is kind of long, so hang in there. The article consists of theory and hands-on material -- the latter being my favorite.
WARNING: This is not going to be a programming-style article. You will get bombarded with a lot of theory first and then we will get our hands dirty a little bit. Unfortunately, this is how networking is; if you don't know the big picture/theory you can't really make things happen. Feel free to click away if you don't want to learn too much theory.
Let's start with an opinionated rant. Hacking or "breaking", or whatever you want to call it, isn't about using tools that automate certain processes in order to steal some credentials, do some recon or whatever you please. The real deal is knowing why these tools work and how. The people who make these tools know exactly what they are doing, and that's why they will always be ahead of everyone who just uses the tools. So get it through your head: adding some flags on nmap or just firing up metasploit and selecting some modules means absolutely nothing. Again, this is my opinion. I'm not saying I'm an expert or that I know my shit. I consider myself quite a newbie, but since this is a community, I wanted to express my opinion, since I'm going to connect this little rant to the purpose of this article.
So, now that I have your attention, let's get back to our topic. You want to hack a company's network or intercept their traffic, huh? Well, in order to do that, you have to actually get inside their network; and, in order to do that, you need to know how their network works.
nmap and scanning and all this crap. Let's take the hard route. And by route, I mean the OSPF way. Routers are the first line of defense. If you know how they operate, you can make things happen, if you know what I mean... Routers use routing tables to get your packets where they need to go: a routing table is the table every router consults to pick the next hop for a destination.
NOTE: Every routing protocol has an algorithm running behind it. In our case, OSPF is using Dijkstra's algorithm. If you are interested in it, be sure to check out this article made by @oaktree. It's worth the time.
Most networks nowadays use OSPF inside the organization (it is an interior gateway protocol) and BGP between organizations and ISPs (between autonomous systems); some still use static routes as well. But hey, I've been talking about routing protocols without even telling you what they really do. Well, I bet most of you have guessed it already, but this is my short definition:
Routing Protocol - Tell your neighbors what you know.
I'm not going to get into more detail. If you are curious about it, I invite you to do some research. Anyway, let's have a look at the picture below.
This picture is a virtual networking environment I set up in GNS3. GNS3 (Graphical Network Simulator) is one of my all-time favorite programs. Its name describes precisely what it does. I would highly recommend looking it up. I've also assigned IPs to the routers (depicted above) and I have made note of them for clarity's sake.
Before we dive into OSPF and how to get OSPF working, let's take a step back: Back in the old days, when people were turning on their routers for the first time, the routers did not know all the possible routes to every website on the Internet out of the box. People actually had to configure them.
Dammit, I spoiled the surprise. Routers knew only about the networks they were plugged into.
Now, what does OSPF do? It lets our routers have a discussion about what they think is most interesting. R1 is going to tell R2 everything it knows (and it knows about the networks it's plugged into, such as the 10.0.0 and 10.0.1 networks). Why does it know them? Because I, as the administrator, gave its interfaces addresses in those networks. Don't worry about the configuration part, it will make sense soon. Focus!
So R1 is going to say to R2 "hey mate, I know about the 10.0.0 and 10.0.1 network!" and R2 is going to reply back "fantastic! I knew about 10.0.1 but god damn I didn't know about 10.0.0 at all. I'm going to add it into my routing table and I'm going to use you as my next hop to get there because you told me about it."
Okay, that's interesting and all, but that's how every routing protocol works, from a high-level perspective. What really differentiates OSPF from other routing protocols? Well, OSPF uses a "hello" packet. This packet includes all kinds of cool information, such as:
- Subnet Mask
- Hello and Dead timers
- Area ID
- Authentication (type and key)
(plus the sender's Router ID, its DR/BDR choice and the list of neighbors it has already heard from). The first four are the ones that have to match before two routers will talk, so let's go through them.
The very first packet R1 will send is a "hello" packet. Let's talk about the "Timers" first. R1 is going to send this packet, which will have a message in it saying, "hey, I say hello every 5 seconds and I have a dead timer of 30 seconds." What does that mean to R2, though? R2 will think "well, I can expect a 'hey man' from R1 every 5 seconds to show me that he is online and available. And if I don't hear from R1 for 30 seconds, I will consider him dead, drop the adjacency and recompute my routes without the networks I learned from him." That's how R1 thinks about R2 as well. The reason why the hello and dead timers are a big deal is that OSPF is quite picky about its neighbor relationship establishment. If the timers in the hello packets between R1 and R2 don't match, let's say R2 says hello every 1 second, they are not going to form a neighbor relationship. Timers MUST match. FYI: the numbers above are just for illustration; the IOS defaults on an Ethernet link are a 10-second hello and a 40-second dead interval, and you can adjust them per interface, but let's not focus on that now...
Second, the "Area" must match. What's an Area though? Let me give you the high level view and we will discuss more about Areas in a different article.
OSPF allows you to break the network up into groups of networks. All networks in a company start kinda small and expand with time: they add more offices and get to the point where they have 10, 20, 30, 60 offices all around the world and it starts feeling a bit chaotic. They have all these routers connected together and the routing tables are getting bigger and bigger. Here's a fact: the bigger the routing table (and the link-state database behind it), the more memory and CPU the router burns and the slower it converges. Makes sense, right? So our goal as network administrators is to keep our routing tables small. Areas are what will help us accomplish that. To begin with, the whole group of routers lives in a single Area, named Area 0.
Now this Area 0 happens to be really special: it is the backbone area, and every other area you create later has to attach to it, because inter-area traffic is routed through the backbone. In fact, you can't run OSPF without designating an area. For what we are going to talk about, everything will be in Area 0.
How big can that area be? As big as you want it to be -- 50, 100, 1000 routers? Sure, why not. Yet, as the area grows bigger, you will need more areas, because every router in an area holds the whole area's link-state database and will start running out of memory. So, after a certain number of offices, we, as admins, will start dividing the network into more areas.
HUGE concept incoming...
Areas show a point of summarization.
It's like a point where you are able to summarize entries in your routing table to simplify a large network. The area must match, meaning that, if R2 and R1 do not belong to the same area, they won't form a neighbor relationship. Areas are a massive concept, so I will analyze them with you in a different post. Right now, let's just focus on the high-level stuff because it's more important.
Furthermore, authentication has to match. For example, there can be a passcode "l337" in the packet, which would mean that two routers can only become neighbors if they both have the same passcode. Caveat: with the simple-password authentication type, that passcode rides in cleartext in the header of every OSPF packet, so anyone sniffing the segment reads it straight off the wire. Use the MD5 (cryptographic) type, or HMAC-SHA where the platform supports it, so only a keyed hash goes on the wire. Both the type and the key have to match on both ends.
Lastly, they have to have the same subnet mask, meaning both routers have to belong to a /24 or a /16 network, and so on. (This check only applies on broadcast and NBMA networks; on a point-to-point link the mask in the hello is ignored.) If all of these aspects match up, then the "hello" is accepted by both routers: they become neighbors, and then go on to exchange their link-state databases and compute routes.
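To make those four checks concrete, here is an added example (my own code, not part of the original post and not anything the author ran in GNS3) that builds and parses real OSPFv2 Hello packets with the field layout from RFC 2328 and then applies the receive checks described above. The router IDs, addresses, timers and the "l337" key are constructed sample values. It also shows the catch with simple-password authentication: the key sits in cleartext in the packet bytes.

```python
"""OSPFv2 Hello: build, parse, and decide whether a neighbour is acceptable.

Added example, not from the original post. Wire layout follows RFC 2328
A.3.1 (24-byte header) and A.3.2 (Hello body). Sample values are constructed.
"""
import struct
from dataclasses import dataclass, field
from typing import List, Optional

OSPF_VERSION = 2
TYPE_HELLO = 1
AU_NULL, AU_SIMPLE = 0, 1               # AuType 2 (MD5/cryptographic) not modelled here

HDR = struct.Struct("!BBH4s4sHH8s")        # version, type, length, router id, area id, checksum, autype, auth
HELLO_FIXED = struct.Struct("!4sHBBI4s4s")  # mask, hello, options, priority, dead, DR, BDR


def ip_bytes(dotted: str) -> bytes:
    return bytes(int(o) for o in dotted.split("."))


def ip_str(raw: bytes) -> str:
    return ".".join(str(b) for b in raw)


def ospf_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement checksum. Per RFC 2328 D.4.1 the caller passes
    the packet with the checksum field zeroed and the 64-bit auth field left out."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


@dataclass
class Hello:
    router_id: str
    area_id: str
    mask: str
    hello_interval: int
    dead_interval: int
    auth_type: int = AU_NULL
    auth_key: bytes = b""          # simple password: up to 8 bytes, sent in the clear
    options: int = 0x02            # E bit set: not a stub area
    priority: int = 1
    dr: str = "0.0.0.0"
    bdr: str = "0.0.0.0"
    neighbors: List[str] = field(default_factory=list)

    def pack(self) -> bytes:
        if len(self.auth_key) > 8:
            raise ValueError("simple password is at most 8 bytes")
        body = HELLO_FIXED.pack(ip_bytes(self.mask), self.hello_interval, self.options,
                                self.priority, self.dead_interval, ip_bytes(self.dr), ip_bytes(self.bdr))
        body += b"".join(ip_bytes(n) for n in self.neighbors)
        length = HDR.size + len(body)
        rid, aid = ip_bytes(self.router_id), ip_bytes(self.area_id)
        # First pass with checksum = 0; bytes 0..15 are the header minus the auth field.
        hdr0 = HDR.pack(OSPF_VERSION, TYPE_HELLO, length, rid, aid, 0, self.auth_type, b"\x00" * 8)
        csum = ospf_checksum(hdr0[:16] + body)
        auth = self.auth_key.ljust(8, b"\x00")
        return HDR.pack(OSPF_VERSION, TYPE_HELLO, length, rid, aid, csum, self.auth_type, auth) + body


def parse_hello(pkt: bytes) -> Hello:
    ver, typ, length, rid, aid, csum, autype, auth = HDR.unpack_from(pkt, 0)
    if ver != OSPF_VERSION or typ != TYPE_HELLO:
        raise ValueError("not an OSPFv2 Hello")
    if length != len(pkt) or length < HDR.size + HELLO_FIXED.size:
        raise ValueError("bad packet length")
    if ospf_checksum(pkt[:12] + b"\x00\x00" + pkt[14:16] + pkt[24:]) != csum:
        raise ValueError("bad checksum")
    mask, hello, opts, prio, dead, dr, bdr = HELLO_FIXED.unpack_from(pkt, HDR.size)
    tail = pkt[HDR.size + HELLO_FIXED.size:]
    neighbors = [ip_str(tail[i:i + 4]) for i in range(0, len(tail) - len(tail) % 4, 4)]
    return Hello(ip_str(rid), ip_str(aid), ip_str(mask), hello, dead, autype,
                 auth.rstrip(b"\x00"), opts, prio, ip_str(dr), ip_str(bdr), neighbors)


def hello_rejected(mine: Hello, theirs: Hello, point_to_point: bool = False) -> Optional[str]:
    """Why `mine` would drop `theirs`, or None if they may become neighbours
    (the checks from RFC 2328 sections 8.2 and 10.5 that the post walks through)."""
    if theirs.area_id != mine.area_id:
        return "area mismatch"
    if theirs.auth_type != mine.auth_type:
        return "authentication type mismatch"
    if mine.auth_type == AU_SIMPLE and theirs.auth_key != mine.auth_key:
        return "authentication failed"
    if not point_to_point and theirs.mask != mine.mask:   # mask only checked on broadcast/NBMA
        return "subnet mask mismatch"
    if theirs.hello_interval != mine.hello_interval:
        return "hello interval mismatch"
    if theirs.dead_interval != mine.dead_interval:
        return "dead interval mismatch"
    return None


if __name__ == "__main__":
    r1 = Hello("1.1.1.1", "0.0.0.0", "255.255.255.0", 10, 40, AU_SIMPLE, b"l337")
    r2 = Hello("2.2.2.2", "0.0.0.0", "255.255.255.0", 10, 40, AU_SIMPLE, b"l337", neighbors=["1.1.1.1"])
    wire = r2.pack()
    print(hello_rejected(r1, parse_hello(wire)))                  # None: R1 accepts R2
    print(hello_rejected(r1, Hello("3.3.3.3", "0.0.0.0", "255.255.255.0", 5, 20, AU_SIMPLE, b"l337")))
    print(b"l337" in wire)                                        # True: the key is readable on the wire
```

The last line is the whole argument for cryptographic authentication: with type 1, every Hello hands the passcode to anyone on the segment, and a rogue box can then pass every one of these checks.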
Alright, now that we are done with the theory (there is actually a lot more, but it doesn't belong in this article), it's time to get OSPF working. I'm going to add the same picture as the 1st one so you won't have to scroll up. Keep in mind that my goal is to show you what is going on under the hood. You don't have to know the configuration commands. I just want to show you how a network engineer may have configured your router's protocols.
So let's imagine this is a network. R1 can communicate with R2 and R3, but R2 and R3 can only communicate with R1. You might think that because R1 is plugged into both networks, R2 or R3 would know about each other, yet that's not true and I'm going to prove it to you.
Remember when I said some paragraphs ago that I had been "configuring"? Well, I did configure those routers using Cisco IOS: GNS3 emulates the router hardware and boots a real IOS image inside it. In other words, those routers behave like Cisco devices and I can configure them because their software is running inside GNS3. So I'm going to use the commands Cisco uses to configure their routers.
Now, you may be thinking, "how is this helpful? I don't even own a Cisco router." Well, that's why GNS3 exists. My goal is to teach you how it works for now and not how to do it. You may also be saying "well, not all routers are Cisco, thus, the configuration will be different." True, the commands will be different, but the OSPF procedure stays the same. In the end, I don't know everything, man!
Note: This is not a GNS3 tutorial so I won't explain how I set it up. I can make a post on how to install it, though, if anyone is interested, or you can google.
Let's get back to the proof I was talking about. I'm going to open a console connection for R2 inside GNS3. All I have configured so far is just the addresses on the interfaces which you can see in the picture above.
Note: I'm not going to get into how I assigned those IP addresses with the Cisco IOS. If you are interested in learning how to configure a Cisco device, I can make a separate series dedicated to switch/router configuration.
Anyway, I tried pinging R3 from R2 and here is the result:
As you can see: zero success, because, as I told you, R2 knows only about the network it's plugged into. We would get the same response if I pinged R2 from R3. But if I ping R1 from R2, we will get a response back:
I'm not lying; they are on the same network -- therefore, success.
Since we want all the routers to be able to communicate, I think it's time we turn OSPF on. Before I get into the configuration, I will write down the steps in order to get it working.
- Turn on OSPF
- Tell it which interfaces to use (and, with that, which networks to advertise)
Let's start with step 1. The command is router + protocol + PID, so in our case router ospf 1.
The PID (process ID) just identifies the OSPF process to the router. I would recommend using a simple number so you can remember it. I picked 1. The PID is only locally significant: it doesn't have to be the same on every router, and it is never sent in any OSPF packet.
Step 2 requires a command that is pretty confusing, in my opinion. I mean, it took me hours to understand it, so I will try to use my own words in order to describe it. The command is network. It has its arguments, of course, but before I get into those, let me first tell you what it actually does.
When I type "network", our router will do 2 things:
- Identify which interface(s) to send hello packets out of. Let me show you what I mean:
What R1 will do is start sending hello packets on the 10.0.1 interface. Why? Because it wants to find friends to exchange routes with.
- Identify which network(s) to advertise.
So, when I type network 10.0.1.2, R1 will form a neighbor relationship with R2 and will simultaneously tell other routers about the 10.0.1 network. That's how R3 will get to know about R2's network: R1 will advertise it.
Now, if you have understood everything so far you would notice that the last command is not going to change anything between R1 and R2 since the network command will just advertise the network 10.0.1 to R2 and R2 already knows about it. So what do we have to type?
So now R1 advertises both the 10.0.0 and the 10.0.1 network to R2 and R3. I hope it starts to make sense now. The command as I typed it above is incomplete, though. It still needs some arguments to tell the router exactly which addresses to match and which area to put them in. The full command, for the 10.0.1 network, is network 10.0.1.0 0.0.0.255 area 0. Don't freak out, I will explain it to you argument by argument.
You see that "0.0.0.255"? That is the wildcard mask, or the "wild card bits". It's looking wild, right? Think of the wildcard bits as identifiers: a way of telling the router which bits of the address it should really care about. First of all, a wildcard mask is the exact inverse of a subnet mask (0.0.0.255 is the inverse of 255.255.255.0). Let's have a look at this example.
No comments about my drawing skills, please. If you know any better way to do this, don't embarrass me, just keep it to yourself.
Anyway, do you see those arrows pointing from the 0s to the IP octets? Think of these as someone yelling "look at that!". This "look at that" happens 3 times since there are 3 0s. In other words, those 0s tell the router which octets have to match exactly: the 192.168.1 part. The .255 part is saying, "don't look at that, it's pointless".
So this is telling the router to turn on OSPF on interfaces whose address starts with 192.168.1; the .255 means, "I don't care what is in that last octet". Isn't that much more convenient and more generic than matching one whole IP at a time? Note that what actually gets advertised is not the prefix you typed in the network command but the connected subnet of each interface that matched, with that interface's own mask.
When I type this command, the router is going to look at its interfaces for an address matching 192.168.1. Once it finds one, it's going to turn OSPF on there. That's how the wildcard mask works. But what if I want to turn OSPF on on both of R1's interfaces, or on every single interface R1 has, now and in the future? Think about it. What would the wildcard mask be? I'll leave that to you.
You may be thinking that's easy to do, but at the same time it's not secure. Why? Well, imagine sending hello packets on every single interface, including the ones facing users. What if there was a malicious user on one of those networks doing some MitM magic? You would be screwed. Even the tamest scenario is a user messing up your routing table by acting as an OSPF router: with no authentication configured, anything that speaks OSPF on that segment can become a neighbor, inject routes and pull traffic through itself. Yes, that's possible and you definitely don't want that. The standard defenses are to mark user-facing interfaces as passive (on IOS, passive-interface under router ospf: the subnet is still advertised, but no hellos are sent or accepted on it) and to turn on MD5 or HMAC-SHA authentication on the interfaces that do need neighbors.
The last part of this command is the area 0 argument. As mentioned before, we are going to focus on Area 0 for now. Remember, in order for routers to become neighbors, their areas must match.
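As an added example (my code, not the post's; R1's interface table is constructed, the real addresses are in the figure), here is a small model of what the IOS network command does with a wildcard mask. It covers the post's own command, the two cases the text leaves as an exercise (both of R1's interfaces, and every interface), and a passive set for interfaces that should advertise their subnet but neither send nor accept hellos (IOS passive-interface), which is the usual answer to the MitM worry above. When several statements match one interface, the model lets the most specific one win, which is how IOS resolves overlapping network statements.

```python
"""Model of the IOS "network <net> <wildcard> area <n>" statement.

Added example, not from the original post. The interface table below is
constructed; the real addresses are in the post's figure.
"""
import ipaddress
from typing import Dict, Iterable, Tuple

# Constructed interface table for R1: name -> "address/prefixlen" (addresses assumed).
R1_INTERFACES: Dict[str, str] = {
    "FastEthernet0/0": "10.0.0.1/24",
    "FastEthernet0/1": "10.0.1.1/24",
    "FastEthernet1/0": "192.168.1.1/24",
}


def wildcard_matches(addr: str, network: str, wildcard: str) -> bool:
    """IOS wildcard rule: every bit that is 0 in the wildcard must be equal in
    addr and network ("look at that!"); every bit that is 1 is ignored."""
    care = (~int(ipaddress.IPv4Address(wildcard))) & 0xFFFFFFFF
    a = int(ipaddress.IPv4Address(addr))
    n = int(ipaddress.IPv4Address(network))
    return (a & care) == (n & care)


def apply_network_commands(
    statements: Iterable[Tuple[str, str, int]],   # (network, wildcard, area) as typed under "router ospf"
    interfaces: Dict[str, str],                   # interface name -> "address/prefixlen"
    passive: Iterable[str] = (),                  # names given to "passive-interface"
) -> Dict[str, dict]:
    """For each interface whose address matches a statement, report the area it
    joins, the prefix OSPF advertises for it (the interface's own connected
    subnet, never the prefix typed in the command) and whether it sends and
    accepts Hellos (not if it is passive)."""
    # Overlapping statements: the most specific one (fewest wildcard 1-bits) wins.
    ordered = sorted(statements, key=lambda s: bin(int(ipaddress.IPv4Address(s[1]))).count("1"))
    passive = set(passive)
    plan: Dict[str, dict] = {}
    for name, cidr in interfaces.items():
        iface = ipaddress.IPv4Interface(cidr)
        for network, wildcard, area in ordered:
            if wildcard_matches(str(iface.ip), network, wildcard):
                plan[name] = {
                    "area": area,
                    "advertises": str(iface.network),
                    "sends_hello": name not in passive,
                }
                break
    return plan


if __name__ == "__main__":
    # The post's command: only the interface on 10.0.1.x joins area 0.
    print(apply_network_commands([("10.0.1.0", "0.0.0.255", 0)], R1_INTERFACES))
    # Every interface, present and future: 0.0.0.0 255.255.255.255 matches anything,
    # which is exactly why the user-facing port should then be made passive.
    print(apply_network_commands([("0.0.0.0", "255.255.255.255", 0)], R1_INTERFACES,
                                 passive=["FastEthernet1/0"]))
```

Two things worth trying: a wildcard of 0.0.0.0 is an exact-host match (handy for a single interface), and a passive interface still shows up with its subnet advertised, so your users keep reachability while nobody on that segment can talk OSPF to the router.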
Here is the result of the previous command, and I do the same for the 10.0.0 network so R1 advertises that one too.
I think you can understand what just happened. All we have to do now is turn on OSPF for R2 as well, so R2 and R1 can start exchanging routes, such as the 10.0.0 network.
Both R2 and R1 have officially turned OSPF on and they just exchanged routes. How do I know that? I will prove it to you. Remember before when I tried pinging R3 from R2 but we weren't getting any response back. Well, check out this command first:
Look at that! The "show ip route" command shows us all the routes R2 knows, and as you can tell, it finally knows about 10.0.0. OSPF did its magic! The "[110/20]" part is the administrative distance and the metric respectively: 110 is the default administrative distance IOS gives OSPF-learned routes, and 20 is the OSPF cost of the path, the sum of the cost of each outgoing interface along the way (by default 10^8 divided by the interface bandwidth in bits per second, so 1 for FastEthernet and 10 for 10 Mbps Ethernet). Let's not get deeper into those for now. The time has come to ping R3 from R2 and see it happen.
That was probably one of my longest posts and the toughest to explain. I know that it might be kinda boring, but hopefully you gained some knowledge from this article. OSPF is hard to grasp at first, so give it time. If you are reading this sentence, you are a true champ. I hope this article has been informative and I thank you for taking the time to read it. Feel free to ask any questions.